- The MAILING DATE of this communication appears on the cover sheet with the correspondence address - 
Period for Reply 



A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) FROM 
THE MAILING DATE OF THIS COMMUNICATION. 

• Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed 
after SIX (6) MONTHS from the mailing date of this communication. 

• If the period for reply specified above is less than thirty (30) days, a reply within the statutory minimum of thirty (30) days will be considered timely. 

• If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 
• Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133). 

Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1.704(b). 

Status 

1) [X] Responsive to communication(s) filed on 04 December 2003. 
2a) [ ] This action is FINAL. 2b) [X] This action is non-final. 

3) [ ] Since this application is in condition for allowance except for formal matters, prosecution as to the merits is 
closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213. 

Disposition of Claims 

4) [X] Claim(s) 19 and 21-35 is/are pending in the application. 

4a) Of the above claim(s) ______ is/are withdrawn from consideration. 

5) [ ] Claim(s) ______ is/are allowed. 

6) [X] Claim(s) 19 and 21-35 is/are rejected. 

7) [ ] Claim(s) ______ is/are objected to. 

8) [ ] Claim(s) ______ are subject to restriction and/or election requirement. 

Application Papers 

9) [ ] The specification is objected to by the Examiner. 

10) [X] The drawing(s) filed on 25 September 1997 is/are: a) [ ] accepted or b) [X] objected to by the Examiner. 

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a). 
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d). 

11) [ ] The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152. 

Priority under 35 U.S.C. § 119 

12) [ ] Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f). 
a) [ ] All b) [ ] Some * c) [ ] None of: 

1. [ ] Certified copies of the priority documents have been received. 

2. [ ] Certified copies of the priority documents have been received in Application No. ______. 

3. [ ] Copies of the certified copies of the priority documents have been received in this National Stage 
application from the International Bureau (PCT Rule 17.2(a)). 

* See the attached detailed Office action for a list of the certified copies not received. 



Attachment(s) 

1) [X] Notice of References Cited (PTO-892) 
2) [ ] Notice of Draftsperson's Patent Drawing Review (PTO-948) 
4) [ ] Interview Summary (PTO-413) 
5) [ ] Notice of Informal Patent Application (PTO-152) 

U.S. Patent and Trademark Office 
PTOL-326 (Rev. 1-04) 
DETAILED ACTION 



This action is in response to paper number 35, Appeal Brief, filed on 12/4/03. 



2. Applicant's request for reconsideration of the finality of the rejection of the last Office 
action is persuasive and, therefore, the finality of that action is withdrawn. 

3. Claims 19 and 21-35 are pending in the application. 



Drawings 

4. The drawings are objected to under 37 CFR 1.83(a). The drawings must show every 
feature of the invention specified in the claims. Therefore, the "learning period" must be shown 
or the feature(s) canceled from the claim(s). No new matter should be entered. 

A proposed drawing correction or corrected drawings are required in reply to the Office 
action to avoid abandonment of the application. The objection to the drawings will not be held 
in abeyance. 

5. The drawings are objected to because of a spelling error in Fig. 3, item 38. The term 
"THRED" should be spelled "THREAD." A proposed drawing correction or corrected drawings 
are required in reply to the Office action to avoid abandonment of the application. The objection 
to the drawings will not be held in abeyance. 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

6. Claims 19, 21-35 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Shieh et al. (hereinafter Shieh) (US 5,278,901) in view of Crosbie et al. (hereinafter Crosbie) 
"Active Defense of a Computer System using Autonomous Agents". 

7. As to claim 19, Shieh teaches an apparatus for ensuring the integrity of an application 
executed on a computer having data storage arranged sectorwise comprising: 

- an enforcement device, operative after said period is over, for identifying and preventing 
said application from accessing elements of data storage that do not correspond with the 
normal behavior of said application ("pattern-oriented instruction detection system and 
method that defines patterns of intrusion", see Abstract, "intrusion detection system", 
see Fig. 2, item 215, col 9, lines 5-6 and 67, "present protection graph 205", col. 9, line 
65, col 18, lines 50-56); 
Shieh fails to explicitly teach: 

- apparatus for learning about the normal behavior of said application to said data storage 
arranged sectorwise by monitoring accesses of said application to elements of said data 
storage during a limited period; 

8. However, Crosbie teaches an intruder detection system that recognizes the intruder, 
learns about the intrusions, and deals with the intrusions when detected ("Intruder recognition", 
"Learning about intrusions", "Response to an intrusion", page 4, right hand column, page 2, 
right hand col, lines 36-39, page 6, left hand col, lines 33-36, right hand col, lines 8-10). 

9. It would have been obvious to one of ordinary skill in the art at the time the invention 
was made to combine the teachings of Shieh and Crosbie because Crosbie's feature of learning 
about the normal behavior of said application by monitoring accesses of said application to 
elements of said data storage would improve the accuracy of dealing with the intrusion. The 
knowledge learned about intrusions is used in future decisions of responding to an intrusion 
("learn about intrusions and use that knowledge in future decisions", page 4, col 2, 2nd bullet 
point). 

10. As to claim 21, Crosbie teaches an apparatus wherein said enforcement device is 
operative to prompt a user to give specific permission, upon occurrence of an attempt of the 
program to access files not accessed during said learning period. Crosbie teaches a system which 
recognizes intrusions, learns about the intrusions, and responds/deals with the intrusions that are 
detected and are based by a human operator ("anomalous activity", "human operator", page 6, 
col 2, "Intruder recognition", "Learning about intrusions", "Response to an intrusion", page 
4, col 2, "observe deviations from normal behaviour", page 5, col 1, "Cooperative 
monitoring", see Abstract). Shieh in view of Crosbie fails to explicitly teach that the verification 
data for each program is stored in a file and that file is accessed for verification. However, 
"Official Notice" is taken that both the concept and advantages of providing that data can be 
stored in a file is well known and expected in the art. It would have been obvious to one of 
ordinary skill in the art at the time the invention was made to include a file that contained the 
verification data of each program to the existing system for the reason of increasing organization 
of the program by keeping the verification information for a particular program in one area. It 
makes it simpler for the respective program to access the information. 

11. As to claim 23, it is rejected for the same reasons as stated in the rejection of claim 21. 
Furthermore, it is obvious that there is more leniency to access files with user permission 
because there is no leniency without permission. 

12. As to claims 22 and 24, Shieh teaches an apparatus for ensuring the integrity of a 
computer application to be run in association with a computer having data storage arranged 
sectorwise in a storage device, comprising: 

- apparatus for assigning a general enforcement file to each new program ("protection sets 
help define the targets of intrusion detection", col 8, lines 19-20, "audit trails", 
"protection graph", col 8, lines 37-49); 

Shieh fails to explicitly teach: 

- apparatus for learning about the program by monitoring the program of said data storage, 
by monitoring the program's attempts to make file accesses during a learning period; 

- an enforcement device operative, after said learning period is over, to treat attempts of the 
program to access files accessed during said learning period more leniently than attempts 
of the program to access files not accessed during said learning period, said enforcement 
device is based at least on instances of specific permission being given by the user to said 
application to access locations of said data storage, wherein said enforcement device 
treats attempts of said application to access locations of said data storage to which the 
user has permitted to access during said learning period more leniently than attempts of 
the program to access files to which the user did not permit access during said learning 
period. 

13. However, Crosbie teaches a system which recognizes intrusions, learns about the 
intrusions, and responds/deals with the intrusions that are detected and are based by a human 
operator ("anomalous activity", "human operator", page 6, col 2, "Intruder recognition", 
"Learning about intrusions", "Response to an intrusion", page 4, col 2, "observe deviations 
from normal behaviour", page 5, col 1, "Cooperative monitoring", see Abstract). Shieh fails to 
explicitly teach that the verification data for each program is stored in a file. However, "Official 
Notice" is taken that both the concept and advantages of providing that data can be stored in a 
file is well known and expected in the art. It would have been obvious to one of ordinary skill in 
the art at the time the invention was made to include a file that contained the verification data of 
each program to the existing system for the reason of increasing organization of the program by 
keeping the verification information for a particular program in one area. It makes it simpler for 
the respective program to access the information. 

14. As to claim 25, it is rejected for the same reasons as stated in the rejection of claim 24. 

15. As to claims 26-28, Crosbie teaches a method further comprising enabling the user of said 
first application to determine said normal behavior during said learning period (see rejection of 
claims 24 and 25). 

16. As to claims 29-34, Shieh in view of Crosbie teaches a method further comprising 
detecting attempts of a daughter or second application of said first application to access elements 
of data storage that do not correspond to said normal behavior as determined by said 
enforcement file and inhibiting said accesses, thereby preventing the damage thereupon. It is 
rejected for the same reasons as stated in the rejection of claims 22 and 24. In addition, Shieh 
teaches detection on two applications ("detection of unintended use of foreign programs and 
detection of virus propagation", col. 4, lines 10-23). 

17. As to claim 35, it is obvious to have a second application executed on a second 
computer for the reason of increasing the speed of running the application by not using the 
resources of the first computer to run the second application. 



Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Kenneth Tang whose telephone number is (703) 305-5334. The 
examiner can normally be reached on 8:30AM - 7:00PM, Monday through Thursday. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Meng-Ai An, can be reached on (703) 305-9678. The fax phone number for the 
organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 